Custom Assessment and Remediation Release 2.5.2 API

June 25, 2025

Before reading the API release highlights, refer to the Know Your Qualys API Server URL section to find the API server URL to use in your API requests. In these API Release Notes, the sample API requests use <qualys_base_url> in place of that URL.

CAR API Versioning Support

We have scheduled a few CAR version 1 APIs for End-of-Support (EOS) and End-of-Life (EOL) from this release. We recommend migrating to the latest versions of these APIs to ensure continued compatibility, support, and access to the latest features and security enhancements.

Impacted APIs

The following table lists the APIs, along with their respective EOS and EOL timeline details:

API | EOS Timeline | EOL Timeline | Latest Endpoint
Search List of Blocked Commands by LanguageId API (Endpoint: /sm/v1/block-commands/{id}) | December 2025 - June 2026 | June 2026 | /sm/v1/block-commands/search
Create Script API (Endpoint: /sm/v1/script) | December 2025 - June 2026 | June 2026 | /sm/v5/script
Update Scripts API (Endpoint: /sm/v1/script/{scriptid}) | December 2025 - June 2026 | June 2026 | /sm/v4/script/{scriptid}

For more information, refer to the CAR API User Guide.
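To find callers that still use the deprecated v1 paths from the table above, the following added example (not Qualys code) scans script or configuration text and reports the replacement endpoint for each hit. The function name and the sample lines are constructed for illustration.

```python
import re

# Deprecated v1 paths and replacements, copied from the EOS/EOL table above.
# All three share one timeline: EOS December 2025 - June 2026, EOL June 2026.
SEG = r"[^/\s'\"?#]+"  # one path segment, e.g. an id or a shell variable
DEPRECATED = [
    ("Search List of Blocked Commands by LanguageId",
     # {id} form only: search/update/delete under the same prefix are other APIs
     re.compile(r"/sm/v1/block-commands/(?!(?:search|update|delete)\b)" + SEG),
     "/sm/v1/block-commands/search"),
    ("Update Scripts",
     re.compile(r"/sm/v1/script/" + SEG),
     "/sm/v4/script/{scriptid}"),
    ("Create Script",
     # bare path; the lookahead skips /sm/v1/script/<id> and longer names
     re.compile(r"/sm/v1/script(?![\w/-])"),
     "/sm/v5/script"),
]

def find_deprecated_calls(text):
    """Return (line_no, api, matched_path, replacement) for each deprecated path."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for api, pattern, replacement in DEPRECATED:
            for m in pattern.finditer(line):
                hits.append((line_no, api, m.group(0), replacement))
    return hits

# Constructed sample: lines from a hypothetical automation script.
SAMPLE = """\
CREATE_URL="$BASE/sm/v1/script"
UPDATE_URL="$BASE/sm/v1/script/213673"
BLOCKED_URL="$BASE/sm/v1/block-commands/201"
SEARCH_URL="$BASE/sm/v1/block-commands/search"
NEW_CREATE_URL="$BASE/sm/v5/script"
"""

if __name__ == "__main__":
    for line_no, api, path, replacement in find_deprecated_calls(SAMPLE):
        print(f"line {line_no}: {path} ({api} API) -> {replacement}")
```

Matching is by path only, so confirm that each hit is the Create, Update, or Search-by-LanguageId call before changing it.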

To support your understanding, definitions of key terms such as End-of-Support (EOS) and End-of-Life (EOL) are given below, explaining the lifecycle of each endpoint.

End-of-Support (EOS)

End-of-Support for an API version signifies the point at which Qualys will no longer actively maintain or enhance that specific version. While the API may continue to function, it will not receive new features, performance improvements, or security updates. This phase is intended to provide a grace period for API consumers to migrate to newer versions.

Implications of End-of-Support
  • No New Features: The API version will not receive any further functional enhancements or new capabilities.
  • Limited Bug Fixes: Critical security vulnerabilities may be addressed on a case-by-case basis, but general bug fixes for non-critical issues will stop.
  • No Performance Improvements: Optimization efforts focus solely on newer API versions.
  • Reduced Support Channels: Technical support for issues related to this specific API version may become limited, and users are strongly recommended to upgrade.
  • No Guarantees of Reliability: While the API may remain operational, Qualys offers no guarantees regarding its continued reliability beyond the EOS date.

End-of-Life (EOL)

End-of-Life for an API version is the final stage where the API version is officially retired and will be completely decommissioned. After the EOL date, the API will no longer be available, and any calls to it will result in errors. This marks the complete discontinuation of service for that specific API version.

Implications of End-of-Life
  • API Decommissioning: The API endpoint for this version is shut down and will no longer accept requests.
  • Complete Service Stoppage: All functionalities provided by this API version will cease to exist.
  • Error Responses: Any attempt to call the EOL API results in HTTP error codes, such as 404 Not Found or 410 Gone, or similar error messages.
  • No Support: All forms of support, documentation, and resources related to this API version will be discontinued.

Enhancement in Blocked Command APIs

You can now update or delete blocked commands by sending their unique command ID(s) in the API request. This unique identifier is introduced as a new input parameter (commandId) in the following APIs:

API Versioning in Blocked Command APIs

We have enhanced the Update Blocked Commands and Delete Blocked Commands APIs with the new version 2 (v2) endpoints to enable you to test the new API version while maintaining the production environment with the old API version.

We recommend migrating to the latest versions of these APIs to ensure continued compatibility, support, and access to the latest features and security enhancements.

Update Blocked Commands API: Introduced a new parameter

New or Updated API | Updated
API Endpoint (Old Version) | sm/v1/block-commands/update
API Endpoint (New Version) | sm/v2/block-commands/update
Method | POST
DTD or XSD changes | Not Applicable

With this new version, you can update a blocked command using the commandId parameter.

Sample: Update the blocked command

API Request

curl -X POST \
'<qualys_base_url>/sm/v2/block-commands/update' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{authToken}}' \
--data '{
    "languageId": 201,
    "commandId": 206,
    "commands": "cmd1,cmd2,cmd3,cmd4",
    "user": {
      "id": "9321f0b3-5372-4107-817c-d5647de6da11",
      "name": "string",
      "userName": "string"
    }
  }'

Response

{
 "body": "Commands Updated Successfully"
}

Delete Blocked Commands API: Introduced a new parameter

New or Updated API | Updated
API Endpoint (Old Version) | sm/v1/block-commands/delete
API Endpoint (New Version) | sm/v2/block-commands/delete
Method | POST
DTD or XSD changes | Not Applicable

With this new version, you can delete a blocked command using the commandIds parameter.

Sample: Delete the blocked command

API Request

curl -X POST \
'<qualys_base_url>/sm/v2/block-commands/delete' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{authToken}}' \
--data '{
    "commandIds": [2,3],
    "user": {
      "id": "9321x0x3-5372-4107-817x-x5647xx6Xx11",
      "name": "string",
      "userName": "string"
    }
  }'

Response

{
  "body": "Commands Deleted Successfully"
}

Support for Multiple Detection Conditions in Custom QID Scripts

We have extended the support for multiple detection conditions to the Scripts APIs. You can now:

  • Configure primary and secondary detection conditions to detect custom QIDs.
  • Configure the QID as Detected or Not-detected for each condition individually.

For more information, refer to the Enhanced Custom QID Detection based on Script Output section in the CAR 2.5.2 Release Notes.

The following APIs are impacted due to this enhancement:

Create Scripts API: Introduced multiple detection logic support

New or Updated API | Updated
API Endpoint | /sm/v5/script
Method | POST
DTD or XSD changes | Not Applicable

You can use this API to create a custom QID script with two detection conditions based on the script output.

Sample: Create a custom QID detection script

API Request

curl -X POST \
'<qualys_base_url>/sm/v5/script' \
--header 'Accept: application/vnd.qualys.car.api.v5.0+json' \
--header 'Authorization: Bearer <authToken>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "categoryId": 605,
    "content": "bHMgLWx0cg==",
    "description": "sample description",
    "platform": "WINDOWS",
    "severity": "3",
    "threshold":300,
    "thresholdTimeUnit": "SECOND",
    "title": "Sample title",
    "typeId": 2,
    "languageId": 204,
    "scriptApprovalUserConsent": true,
    "hasParameters": true,
    "customQid": {
        "type": "Detection QID",
        "severity": "4",
        "qds": "75",
        "vulnerabilityType": "Information_Gathered",
        "cveIds": "CVE-2023-3452",
        "detectionLogic": "Use Script",
        "detectionRegex": [
            {
                "regex": [
                    "java 9"
                ],
                "cardinality": "CONTAINS",
                "status": "detected"
            },
            {
                "regex": [
                    "java 11"
                ],
                "cardinality": "CONTAINS",
                "status": "not-detected"
            }
        ]
    },
    "params": [
        {
            "key": "string",
            "value": "string"
        }
    ]
}'

Response

{
  "errorCode": "0",
  "message": "Script created successfully",
  "body": {
    "id": 213673
  }
}

Update Scripts API: Introduced multiple detection logic support

New or Updated API | Updated
API Endpoint | /sm/v4/script/{ScriptId}
Method | PATCH
DTD or XSD changes | Not Applicable

You can use this API to update the detection conditions defined under the detectionRegex object.

Sample: Update the custom QID detection condition

API Request

curl -X PATCH \
'<qualys_base_url>/sm/v4/script/{ScriptId}' \
--header 'Accept: application/vnd.qualys.car.api.v4.0+json' \
--header 'Authorization: Bearer <authToken>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "categoryId": 605,
    "content": "bHMgLWx0cg==",
    "description": "sample description",
    "platform": "WINDOWS",
    "severity": "3",
    "threshold":300,
    "thresholdTimeUnit": "SECOND",
    "title": "Sample title",
    "typeId": 2,
    "languageId": 204,
    "scriptApprovalUserConsent": true,
    "hasParameters": true,
    "customQid": {
        "type": "Detection QID",
        "severity": "4",
        "qds": "75",
        "vulnerabilityType": "Information_Gathered",
        "cveIds": "CVE-2023-3452",
        "detectionLogic": "Use Script",
        "detectionRegex": [
            {
                "regex": [
                    "java 9"
                ],
                "cardinality": "CONTAINS",
                "status": "detected"
            },
            {
                "regex": [
                    "python"
                ],
                "cardinality": "CONTAINS",
                "status": "not-detected"
            }
        ]
    },
    "params": [
        {
            "key": "string",
            "value": "string"
        }
    ]
}'

Response

{
  "id": 213673,
  "message": "Updated Successfully."
}
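
The request bodies for the Create Scripts and Update Scripts samples can be generated instead of hand-written, so that the detectionRegex conditions are checked and the JSON is always well-formed. This is an added example, not Qualys code: the function names are hypothetical, and the checks (one or two conditions, only the two status values shown in the samples, no pattern mapped to both statuses) are local assumptions rather than documented API rules.

```python
import base64
import json

ALLOWED_STATUS = {"detected", "not-detected"}  # the two values used in the samples

def detection_condition(patterns, status, cardinality="CONTAINS"):
    """Build one customQid.detectionRegex entry, shaped like the page's samples."""
    if status not in ALLOWED_STATUS:
        raise ValueError(f"status must be one of {sorted(ALLOWED_STATUS)}: {status!r}")
    if not patterns or any(not isinstance(p, str) or not p.strip() for p in patterns):
        raise ValueError("each condition needs at least one non-empty pattern")
    return {"regex": list(patterns), "cardinality": cardinality, "status": status}

def check_conditions(conditions):
    """Local sanity checks (assumptions, not rules enforced by the API)."""
    if not 1 <= len(conditions) <= 2:
        raise ValueError("expected a primary and, optionally, a secondary condition")
    seen = {}
    for cond in conditions:
        for pattern in cond["regex"]:
            # the same pattern must not mean both Detected and Not-detected
            if seen.setdefault(pattern, cond["status"]) != cond["status"]:
                raise ValueError(f"pattern {pattern!r} is mapped to both statuses")
    return conditions

def script_payload(script_text, conditions, **fields):
    """Return the JSON body; other top-level fields are passed through as given."""
    body = dict(fields)
    # The samples' content value "bHMgLWx0cg==" is the base64 encoding of "ls -ltr".
    body["content"] = base64.b64encode(script_text.encode()).decode("ascii")
    custom_qid = dict(body.get("customQid", {}))
    custom_qid["detectionRegex"] = check_conditions(conditions)
    body["customQid"] = custom_qid
    return json.dumps(body, indent=2)

if __name__ == "__main__":
    conditions = [detection_condition(["java 9"], "detected"),
                  detection_condition(["java 11"], "not-detected")]
    print(script_payload("ls -ltr", conditions, title="Sample title",
                         customQid={"detectionLogic": "Use Script"}))
```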